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SYSTEM AND METHOD FOR USER AUTHENTICATION 

Priority Application 

This application claims the benefit of U.S. Provisional Application No. 
5 60/178, 175 filed January 26, 2000, entitled "System and Method for User Access 
Authentication," and incorporated herein by this reference. 

Field of the Invention 

The present invention relates to the field of user authentication systems 
10 and more particularly to a method and system of authenticating or verifying the 
identity of a user using biometric data about the user. 

Background of the Invention 

The task of authenticating or verifying the identity of a user requires a 

15 certain level of security in addition to the method by which the user is identified. 
A typical authentication system involves, for example, a user who has a smart 
card or perhaps simply a credit card. When the user presents himself or herself to 
the system, such as at an automatic teller machine (ATM), the user presents his or 
her credit card, which identifies the particular user by name and account nun±>ei\ 

20 The user then presents his or her personal identification number (PIN), or similar 
information known only to the user, and the presented information is sent to a 
host computer. The host computer, which is based on a database, can then 
identify the user by the user's name and, for example, by the particular PIN that 
the user is supposed to use. 

25 In the case when biometrics are used for authentication, the identification 

of the user can be done by presenting a biometric such as a fingerprint, the user's 
face, or the user's voice, to the system. In addition to that, when the user 
identifies himself or herself by presenting a biometric, such as a fingerprint, the 
system goes through the process of looking at a stored template of the user's 

30 fingerprint which was created in advance. The system compares the user's 
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presented fingerprint to the stored template and verifies that this is the same 
person, making its decision based on certain predefined parameters, such as 
threshold of match scores between the presented and stored biometric samples. 

5 Summary of the Invention 

It is a feature and advantage of the present invention to provide a method 
and system of authenticate a user with biometric data which allows the use of a 
high biometric recognition threshold to filter out as many impostors as possible, 
while at the same time minimizing the rate of false rejections. 

10 It is another feature and advantage of the present invention to provide a 

method and system of authenticate the user with biometric data which enables a 
lower rate of false rejections without increasing the rate of false acceptances. 

To achieve the stated and other features, advantages and objects, an 
embodiment of the present invention provides a method and system for 

15 authenticating the identity of a user by an authority that makes use of biometric 
data, which is what the user is, and additional information, which is what the user 
knows, for example, by presenting the biometric in a predefined manner, such as 
a predefined sequence. The predefined manner in which the biometric is 
presented, such as presenting the user's fingerprints in a predefined sequence, 

20 functions as the user's PIN. An embodiment of the present invention uses 
biometric data together with the predetermined sequence of presenting the 
biometric data to enable the user to gain access to a device, physical location, or 
network. 

The authentication method and system for an embodiment of the present 
25 invention can be augmented by requesting an additional shared secret, such as a 
PIN, or additional credentials, thus establishing multiple layers of authentication. 
Varying the layers of authentication results in greater or lesser security, and the 
accuracy for any given layer can be relaxed without compromising the integrity 
of the entire method. In order to minimize the risk of replay attack, the 
30 predetermined sequence may be different for consecutive accesses. 
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In an embodiment of the present invention, the user presents one or more 
user credentials for enrollment by an authority, such as a bank. The user 
credentials include, for example, one or more biometric templates for the user's 
fingerprint(s), face, voice and/or iris and/or one or more digital documents, such 
5 as a digital certificate and/or a digital signature for the user and/or one or more 
paper documents, such as a passport for the user. The user credential(s), which 
represent user authentication information, are stored for the user, for example, on 
a host computer, a local terminal, and/or a user token, such as a smart card, and 
the stored user credential(s) can be signed with the user's private key. 

10 In addition, one or more shared secrets is established between the user and 

the authority relating to a predefined shared secret manner for presenting each of 
one or more current user credentials to the authority, such as a predefined shared 
secret sequence of presenting the current user credential(s). Information, about 
the predefined shared secret, which functions in a manner analogous to a PIN for 

15 the user, is stored for the user in a database. The information about the shared 
secret(s) can be stored in the same database as the database storing the user 
credential(s), and both can be stored encrypted and digitally signed. 

One or more additional shared secrets for an embodiment of the present 
invention can include, for example, a predefined shared secret PIN for the user, 

20 one or more additional predefined shared secret manner(s) of presenting the 
current user credential(s) to the authority, a predefined shared secret manner of 
presenting one or more additional current user credential(s) to the authority for 
the user, and/or a predefined shared secret manner of presenting each of several 
additional current user credentials to the authority for the user. In addition, the 

25 predefined shared secret manner of presenting each of several additional current 
user credentials can include one or more variation(s) corresponding to a variation 
in a degree of security and/or for use on consecutive occasions, 

In an embodiment of the present invention, in order to authenticate the 
identity of the user, the user presents one or more current user credential(s), such 

30 as one or more current biometric samples for the user's fingerprint(s), face, voice, 
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and/or iris, to the authority in the predefined shared secret sequence(s). For 
example, the authority can direct the user to present a biometric sample for one or 
more user fingerprint(s) in a particular predefined shared secret sequence, or a 
combination of biometric samples for two or more of the user's fingerprints), 
5 face, voice, and/or iris in a predefined shared secret sequence. In another aspect, 
the shared secret manner of presenting the current user credential(s) involves, for 
example, presenting at least two user credentials by the authority in a predefined 
shared secret sequence, or in a manner directed by the authority, or in one of 
several predefined secret sequences randomly selected by the authority. 

10 The authority for an embodiment of the present invention authenticates the 

identity of the user based on a correspondence between the enrolled and current 
user credentials and a correspondence between the shared secret manner for 
presenting the current user credential(s) and the manner in which the current user 
credential(s) are presented to the authority. The authentication is performed, for 

1 5 example, by the host computer or the local device for activation of a device, such 
as a gate controller, a door opener, a telephone, or appliance, or for access, such 
as device access, physical location access, or network access. Other aspects of an 
embodiment of the present invention involve, for example, authenticating the 
identity of the user to a smart card or to activate a silent alarm for the user. 

20 Additional objects, advantages and novel features of the present invention 

will be set forth in part in the description which follows, and in part will become 
more apparent to those skilled in the art upon examination of the following or 
may be learned by practice of the invention. 

25 Brief Description of the Drawings 

Fig. 1 is a schematic diagram which shows an example of key components 
and the flow of information between the key components for the authentication 
method and system for an embodiment of the present invention; 

Fig. 2 is a table which illustrates examples of credentials, which represent 
30 what the user is or has, and shared secrets, which represent what the user knows, 
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for the authentication method and system of an embodiment of the present 
invention; 

Fig. 3 is a schematic diagram which illustrates an example of key 
components and the flow of information of a system storing authentication 
5 parameters in a local system for an embodiment of the present invention; 

Fig. 4 is a schematic diagram which illustrates an example of key 
components and the flow of information between the key components of a bank's 
system storing authentication parameters for an embodiment of the present 
invention; 

10 Fig. 5 is a schematic diagram which illustrates an example of key 

components and the flow of information between the key components of an 
authentication system with a four-corner network of trust for an embodiment of 
the present invention; 

Fig. 6 is a schematic diagram which illustrates and example of key 
1 5 components and the flow of information between the key components of a three- 
corner authentication system for an embodiment of the present invention with the 
user at a terminal such as the user's PC; 

Fig. 7 is a schematic diagram with illustrates an example of key 
components and the flow of information between the key components of an 
20 authentication system for an embodiment of the present invention with 
credentials, such as a biometric template, stored on a smart card; and 

Fig. 8 is a flow chart which illustrates an example of the process of user 
authentication for an embodiment of the present invention. 

25 Detailed Description 

Referring now in detail to an embodiment of the present invention, an 
example of which is illustrated in the accompanying attachments, Fig. 1 is a 
schematic diagram which shows an example of key components and the flow of 
information between the key components for the authentication method and 
30 system for an embodiment of the present invention. An aspect of the present 
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invention provides a method and system of authenticating a user 10 to the system 
14, such as an ATM system, which makes use of biometric data, which is what 
the user 10 is, and additional information, which is what the user 10 knows, for 
example, by presenting the biometric in a predefined manner, such as a 
5 predetermined sequence. 

Fig : 2 is a table which illustrates examples of credentials, which represent 
what the user is or has, and shared secrets, which represent what the user knows, 
for the authentication method and system of an embodiment of the present 
invention. The predefined manner in which the biometric 26 is presented, such as 

10 presenting the user's fingerprints 28 in a predetermined sequence 46, functions as 
the user's PIN 44. Thus, the user's fingerprints 28 are what the user 10 has, and 
the sequence 46 in which they are presented is what the user 10 knows. The 
method and system for user authentication identification for an embodiment of 
the present invention uses biometric data 26 and the predetermined sequence 46 

15 of presenting the biometric data 26 in order to gain access to a device, physical 
location, or network. 

This authentication method may be augmented by requesting an additional 
shared secret, such as a PIN 44, or additional credentials, such as documentation 
36, thus establishing multiple layers of authentication. Varying the layers of 

20 authentication results in greater or lesser security. Additionally, with multiple 
layers of authentication, the accuracy for any given layer can be relaxed without 
compromising the integrity of the entire method. In order to minimize the risk of 
replay attack, the predetermined sequence 46 may be different for consecutive 
accesses. The authentication process can be executed between the user 10 and a 

25 smart card or a trusted network. In a situation where the user 1 0 is in danger, a 
separate sequence 46 may be presented to alert die authentication system 14 that 
the user 10 is in danger. 

In addition to presentation and comparison of a biometric 26, such as a 
fingerprint 28, an aspect of an embodiment of the present invention involves die 

30 use, for example, of presentation and comparison of additional biometrics 26, 
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such as the user's voice 30 or face 32, a document 36, or perhaps a PIN 44, in 
effect, combining biometrics 26 and PIN 44 or other information in a single 
process. When the user 10 comes to the system 14 and presents a biometric 26, 
such as the user's fingerprint 28, the way in which the user 10 presents the 
5 fingerprint 28 is unique to the particular user 10. Further, only the particular user 
10 knows the way he or she presents the fingerprint 28. 

For example, in an embodiment of the present invention, the user's 
fingerprint 28 can be presented in particular time sequences 46, such as having 
the user present the same finger once and then remove it and present it again and 

10 then remove it again. The system 14 knows the specific sequence 46 which, like 
a PIN 44, identifies the particular user's knowledge. Alternatively, the user 10 
may present perhaps two or three fingerprints 28, such as first finger, then third 
finger, and then second finger, which is analogous to entering the numerals for a 
PIN 44. Another alternative aspect involves, for example, in addition to use of a 

1 5 fingerprint sequence 46, the system 1 4 can be preprogrammed to ask for some 
other additional information to help in the authentication process, such as a PIN 
44. 

Additionally, the system 14 for an embodiment of the present invention 
can be preprogrammed to randomly ask the user 10 to present additional 

20 credentials out of previously enrolled credentials to prevent a replay attack that 
might be attempted to defeat the authentication process. In order to avoid such a 
replay attack, some part of the secret is generated by the system 44 and another 
part is the shared secret 42 between the user 10 and the system 44 or authority, 
Thus, the authentication process is different each time, and if a third party records 

25 the sequence 46 and replays it, it will not work. A replay attack involves, for 
example, capturing the shared secret sequence 46, such as a fingerprint sequence 
46, by a recording device and attempting to defeat the authentication process by 
replaying the sequence 46. 

Authenticating the user 10, for example, to open the user's door at home 

.30 requires a relatively low level of security, and it may be adequate for the user 10 
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who wants a bioraetric authentication system to install a system which is based on 
the traditional approach, such as presenting one of the user's fingers for 
comparison of the fingerprint 28 with a system-stored template. For additional 
security, an embodiment of the present invention involves presentation and 
5 comparison, for example, of the fingerprint 28 of one finger and then another 
finger, to make it a little more secure. 

For much greater security, an embodiment of the present invention 
involves, for example, one or more of presentation and comparison of the user's 
face 32 with a system-stored template, a visual comparison of the user 10 with a 

10 photograph by a security person, and/or presentation of fingerprints 28 in a 

certain sequence 46. As an alternative for greater security, an embodiment of the 
present invention involves, for example, presenting different biometrics 26, such 
as the user's face 32, dien fingerprint 28, then iris 34 for comparison with system* 
stored templates in a particular sequence 46. 

15 An embodiment of the present invention also makes use of biometric 

authentication in combination, for example, with real or digital documents 36, 
such as certificates, passports, digital signatures, and anything else in addition to 
what a user usually presents. By presenting these additional things, the 
probability of acceptance of the user 10 is increased, and each of these particular 

20 presentations may not be required to be as highly secure as it would normally be 
required. Assume, for example, that the user 10 presents his face 32 to the system 
14 and says 'I am this person.' It is necessary to create a very high quality 
recognition system to understand that the picture is actually the person whose 
face 32 is presented to be able to compare it and to verify it properly. 

25 Likewise, if the user 1 0 presents a fingerprint 28 to the system 14 and 

says, 'I am this person/ it is necessary to have a template of the user's fingerprint 
28 created in the best environment available. In addition, the user's finger should 
be presented under the best possible conditions. For example, the presented 
finger should have no cuts, it should not be wet, and/or it should be at the proper 

30 temperature. If all of this occurs properly, then the system 14 may be able to 
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accept the user's fingerprint 28 with the desired level of security. However, if the 
user 10 presents the user's fingerprint 28, and a digital certificate 40, and the 
user's face 32, and perhaps something else in addition to the fingerprint 28, and if 
they are presented in a proper sequence 46, then it is not necessary for each of 
5 these parameters to be created in the best possible way, as would be necessary if 
only the user's fingerprint 28 were presented. 

In an embodiment of the present invention, those parameters can be stored 
in a particular device. However, is it not necessary that they be stored in a 
particular device. Fig. 3 is a schematic diagram which illustrates an example of 

1 0 key components and the flow of information of a system storing authentication 
parameters in a local system for an embodiment of the present invention. An 
aspect of an embodiment of the present invention makes use of a centralized 
system 14 as shown in Fig. 2, but the application for an embodiment of the 
present invention can equally well be stored in a local device 48 as shown in Fig. 

15 3. In any event, the parameters, thresholds or scores, or the way the templates are 
organized, are in one way or another stored in a central system 14 or alocal 
device 48. 

Another aspect of an embodiment of the present invention involves storing 
the parameters in the place where the particular verification actually occurs. In a 

20 system, for example, which verifies everything on a smart card, the user 

authenticates himself or herself to tire smart card. However, in most cases, after 
the user authenticates himself or herself via the smart card, the user must still 
authenticate the smart card to something else. 

Assume, for example, that the user needs to do authentication to a 

25 merchant or to a bank. Fig. 4 is a schematic diagram which illustrates an example 
of key components and the flow of information between the key components of a 
bank's system storing authentication parameters for an embodiment of the present 
invention. If the user's bank 50 has all the parameter information stored in the 
bank's database 54, the user 10 can present his or her face 32, fingerprint 28, 

30 and/or certificate, and all of this information can be authenticated through the 
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bank 50 where the user 10 actually wants to authenticate himself or herself. Of 
course, a bank or a merchant can attempt to authenticate the user 10 in another 
place, with the user saying, in effect, 'I have this information about me in another 
place/ such as bank 50. If the merchant believes this is true and/or, for example, 
5 has a relationship with the bank 50, it can go through the authentication also. 

For example, referring to Fig. 4, assume that the user 10 goes to a place, 
such as the merchant with a terminal 12, and says to the merchant, C I want to buy 
something from you.' The merchant says 'Okay, can you prove that you are the 
person who you say you are? The user 10 responds, C I cannot prove it to you, but 

10 I can prove it to my bank. * If the user 1 0 has a relationship with the bank 50, and 
if the merchant also has a relationship with the bank 50, then the user 10 and the 
merchant can go together to the bank 50. The bank 50 acts as a sort of arbitrator 
which says, 'Okay, you people are really the people who you say you are/ That 
means that the merchant can go to the bank 50 and verify that this particular user 

15 10 who wants to buy something from the merchant actually belongs to the bank 
50 and is capable of paying. This merchant-user-single bank entity relationship is 
referred to as a three-corner model 

An aspect of an embodiment of the present invention also involves 
expanding the relationship from a merchant-user-single bank entity relationship 

20 to a network of trust, for example, where all of the participants in the 

authentication process belong to the same association or the same network of 
trust. Fig. 5 is a schematic diagram which illustrates an example of key 
components and the flow of information between the key components of an 
authentication system with a four-comer network of trust for an embodiment of 

25 the present invention. Thus, the user 10 can have a relationship with the bank 50 
which shares the same network of trust 58 with another bank 56 with which the 
merchant has a relationship. In other words, the user 10 and the merchant have 
relationships with different banks 56, 50, but the different banks share a trusted 
network 58, and the same authentication process can be used. 
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For example, referring to Fig. 5, we have the user's bank 50, the 
merchant's bank 56, the user 10, and the merchant, and the two banks 56, 50 are 
different With the network of trust 58 established between the two banks 56, 50, 
the same authentication process can be used even though the user 10 has a 
5 relationship with a different bank from the merchant. Further, the network of 
trust 58 can include any number of banks. If the user 10 related to one bank 50 
wishes to authenticate to the merchant related to another bank 56, in order to 
accomplish the four comer model, the user 10 goes to the merchant's terminal 12 
and passes his or her credentials 24 through the merchant's terminal 12 in a 

1 0 predefined sequence 46. If it is within a trusted area 58, the merchant passes that 
sequence 46 to the merchant's bank 56, and the merchant's bank 56 passes that 
sequence 46 to the user's bank 50. The user's bank 50 identifies the user 10, and 
the authentication is passed back to the merchant. In such case, the merchant's 
bank 56 acts as a sort of proxy in the authentication process. 

1 5 Referring again to Fig. 4, an embodiment of the present invention makes 

use, for example, of a terminal 12 to which the user 10 presents his or her 
information 24, such as biometrics 26, at certain times in a certain sequence 46. 
Assume that the user 10 comes to a merchant and wants to buy something, and 
that the merchant has a terminal 12 which the user 1 0 knows that he or she can 

20 trust. Obviously, it is very important that the user 10 will not provide his or her 
information 24 to a terminal that he or she should not trust. The user 10 sees that 
there is a terminal 12 that he or she can trust, and the user 10 can present his or 
her information 24. It is important that this information 24 is not identified at the 
particular terminal 12 but is passed to something that the merchant and the user 

25 10 both together trust, such as the bank 50. The bank 50 makes the decision that 
this particular user 10 is exactly who he or she says and has enough money in his 
or her account that the merchant can accept the user's promise to pay. 

One way of accomplishing this is simply by the user presenting his or her 
credit card in the presence of the merchant, as is presently done today. However, 

30 in an embodiment of the present invention, another way of accomplishing this is 
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that if the user 10 is trying to buy something from the merchant but, for example, 
is sitting at home at a terminal 12, such as the user's personal computer (PC), the 
user 10 needs to communicate to the merchant in a way in which he or she feels 
comfortable. Fig. 6 is a schematic diagram which illustrates and example of key 
5 components and the flow of information between the key components of a three 
corner authentication system for an embodiment of the present invention with the 
user at a terminal such as the user's PC. The merchant 60 does not verify the 
user's fingerprint 28 but passes the fingerprint 28 to the bank 50 to which both 
the user 10 and the merchant 60 belong. The bank 50 verifies that the user 10 is 

10 who he or she says and confirms the particular transaction. 

On the user's side, the user 10 is at his or her PC 62 at home and has, for 
example, a device 64 attached to the PC 62, which can accept the user's 
fingerprint 28. The user 10 applies, for example, one finger, and then applies 
another finger, and sends all this information 24 to the merchant 60, and the 

15 merchant 60 passes this information 24 to the bank 50. Based, for example, on 
the user's name and fingerprint or fingerprints 28 presented, the bank 50 verifies 
that the user 10 is who he or she says and also verifies the sequence 46 in which 
the user 1 0 presented his or her fingerprint or fingerprints 28. This is the user's 
PIN 44, which should be good enough for the bank 50 to make a decision that the 

20 user 10 is who he or she claims to be, safely and securely, and to authorize the 
transaction. 

An aspect of an embodiment of the present invention involves storing the 
authentication information, such as a biometric template, that is normally stored 
at the host computer 52 at the bank 50, for example, on a smart card. Fig. 7 is a 

25 schematic diagram with illustrates an example of key components and the flow of 
information between the key components of an authentication system for an 
embodiment of the present invention with credentials, such as a biometric 
template, stored on a smart card. When the authentication information is stored 
on the smart card 66, the user 10 can identify himself or herself to the particular 

30 smart card 66. In some cases, that is a secure enough process, butin many cases 



12 



WO 01/56213 



PCT/USO 1/02488 



it may not be. If the user 10 has a smart card 66 in his or her possession and can 
identify himself or herself to that smart card 66, that basically verifies that the 
particular user 10 is the person who is actually using the smart card 66 and is 
okay. 

5 Codes are used to open the smart card 66. For example, the user 10 

presents his or her fingerprint 28 to the smart card 66 and presents a PIN 44 to the 
smart card 66 and opens the smart card 66, and the smart card 66 has enough 
information to be secure. Assume that the user 10 has, for example, a digital 
signature or digital certificate 40 which was signed by someone else. The user 10 

10 can use that particular digital signature 40 safely sitting on the user's smart card 
66 to authenticate himself or herself, but basically the user's smart card 66, to the 
host computer 18. On the other hand, in an embodiment of the present invention, 
the user 10 can present his or her biometric information 26 with the user's PIN 44 
to the host computer 18 as shown in Fig, 1, and the smart card 66 is not needed. 

1 5 Thus, it is not necessary for the user 1 0 to have the smart card 66 or anything 
else, but simply to present himself or herself, and it becomes unnecessary to 
authenticate the smart card 66 and then solve some other problem to prove that it 
was signed by the proper authority and that the authority is trusted and the like. 
A smart card aspect of an embodiment of the present invention can make 

20 use of an application which enables adjustment of the threshold depending on the 
environment. Thus, if a more secure application is wanted, the threshold is 
moved in a direction to prevent false acceptances, and for a less secure 
application, the threshold can be relaxed up to the point that virtually any time the 
user 10 presents a biometric 26, he or she is accepted. In an embodiment of the 

25 present invention, the threshold can be adjusted, additional information can be 
presented by the user 10, and the threshold can be certified and re-locked to make 
the smart card 66 work in a more secure way even if the threshold is locked. 

After the smart card 66 is authenticated, it is not a particular benefit to the 
user 10 to authenticate to the user's own smart card 66, since the user 10 already 

30 knows to his or own satisfaction that it is the user's own smart card 66. However, 
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the point is that no one else can use the user's smart card 66. After the user 10 
authenticates himself or herself to the smart card 66, then the user 10 needs to 
authenticate the smart card 66 to the host computer 18. In an aspect of an 
embodiment of the present invention, the user 10 can go directly to the host 
5 computer 1 8 and authenticate himself or herself without the smart card 66. 
However, the modality that the smart card 66 serves in an embodiment of the 
present invention is that security people of organizations, such as financial 
institutions, typically want two authenticating items rather than a single 
authenticating item, 

1 0 On the other hand, in an embodiment of the present invention, the user 1 0 

can present his or her biometrics 26, which is who the user 10 is, and the user 10 
can present his or her PIN 44 in the form of the sequence 46 of the biometric 
presentation, which is what only the user knows, so that there are those two 
authenticating items. If one takes the position that the security people would like 

15 to have something physical, while the user's fingerprint 28 is physical, it is not an 
element issued by the financial institution, such as a PIN 44 issued by the 
financial institution. Yet, it may be considered something physical, in that the 
financial institution knows the particular sequence 46 of biometrics presentation, 
which is a form of the PIN 44. 

20 The user authentication process for an embodiment of the present 

invention includes, for example, user enrollment, the establishment of a shared 
secret 42, and identification and verification of the user 10. Fig. 8 is a flow chart 
which illustrates an example of the process of user authentication for an 
embodiment of the present invention. At SI, the user 10 enrolls by presenting the 

25 user's credentials 24, such as one or more biometrics 26 to an authority, such as a 
host computer 18. The user 10 and the authority work together to make sure that 
all of the user's credentials 24, such as the user's biometrics 26 and/or real or 
digital documents 36 for the user 10, are securely acceptable and verifiable by the 
authority 1 8. These credentials 24 represent what the user is or has. 
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At S2, a shared secret 42 is established between the user 10 and the 
authority 18, which consists, for example, of a predefined sequence 46 of 
presenting the previously enrolled user's biometrics 26 and/or other predefined 
credentials 24, such as documentation 36 in the form of passports, certificates, or 
5 the like, in digital form 40, paper form 38, or other suitable form. The sequence 
46 of presenting the credentials 24 represents what the user 10 and the authority 
18 know. At S3, identification and verification of the user 10 involve, for 
example, the user 10 presenting the user's credentials 24 in the predefined secret 
sequence 46 and the authority 18 identifying and verifying the user 10 based on 

1 0 the combination of user presented credentials 24 and predefined shared secret 
sequence 46, In an aspect of an embodiment of the present invention, user 
credentials 24, such as fingerprints 28, can be relaxed in the foregoing user 
authentication process, because of the pre-defined shared secret 42. For example, 
the thresholds for acceptance of each fingerprint template can be lowered, and 

1 5 imposters will still be rejected, because imposters will not know the predefined 
shared secret 42. 

In an embodiment of the present invention, the verification parameters of 
user credentials 24, such as threshold levels for matching of fingerprints 28, the 
quality of scanners, or the tolerance to input biometrics 26, such as the case of 

20 cuts on a user's finger, can be controlled by the authority, such as the host 
computer 18, in the user authentication process, depending on the risk of the 
application run by the authority 18 and the strength of the predefined shared 
secret 42. The strength of the secret 42 is controlled by the authority 1 8 and 
forces the user 10 to present the user's credentials 24 under the directions of the 

25 authority 18. For a lower level of security, this can be by presenting one or more 
fingerprints 28, For a higher level of security, it can be verification of 
fingerprints 28, voice 30, and iris 34 of the user 10 in the predefined sequence 46. 
At the same time, the authority 18 can adjust the threshold levels for each 
biometric template to a lower or higher level to allow a desired level of control of 

30 the secure access. 
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In an aspect of the user authentication process for an embodiment of the 
present invention, the authority, such as host computer 18 is a financial 
organization, such as a bank 50, and the user's digital credentials 40 or copies of. 
the user's actual documents 36 are stored in a database 54 of the bank 50. The 
5 shared secret 42 is known as the user's PIN 44 and is stored in the same database 
54. The user 1 0 can present the user's credential to the bank 50 in the predefined 
shared secret sequence 46 and receive, for example, all bank services. The 
system for an embodiment of the present invention is designed in such a way that 
the representatives of the authority 18 do not know the shared secrets 42 of the 

10 user 10, although it is stored in the authority's database 54. For example, the 
shared secret 42 can be stored encrypted and digitally signed. 

In another aspect of user authentication for an embodiment of the present 
invention, the user 10 has one or more shared sequences 46 with the authority 18 
so that a silent alarm can be activated if the user 10 is in danger. In a further 

1 5 aspect of user authentication for an embodiment of the present invention, the user 
10 has one or more shared sequences 46 with the authority 18, so that the 
authority 1 8 can request which sequence 46 to use to prevent a replay attack. In 
an additional aspect of user authentication for an embodiment of the present 
invention, the authority 1 8 can randomly request the user 10 to present additional 

20 credentials out of previously enrolled credentials 24 to prevent a replay attack. 

In yet a further aspect of user authentication for an embodiment of the 
present invention, the authority 18 takes the form of a user token, such as a smart 
card 66. The user credentials 24, such as fingerprints 28, are stored in the user's 
smart card 66. The shared secret 42 is also stored on the smart card 66. The user 

25 10 can present his credentials 24 to the smart card 66 in the predefined shared 
secret sequence 46 and open the smart card 66 for its normal usage. In this 
aspect, the user's credentials 24, such as biometric templates, digital certificates, 
and the like, verification parameters, and shared secrets 42 can be signed with the 
user's private key and stored locally for fraud prevention, such as smart card 

30 tampering. 
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In still another aspect of user authentication for an embodiment of the 
present invention, the authority 18 is in the form of a local device 48, such as a 
front gate controller, garage opener, telephone or television activator, or the like. 
The local device 48 has its own secure local database or may use a remote 
5 database for additional security. The user credentials 24, such as fingerprints 28, 
are stored in the database of the local device 48, together with the shared secret 
42. The user 10 can present the credentials 24 to the local device 48 in the 
predefined shared secret sequence 46 and open or activate the local device 48 for 
its normal usage. 

1 0 Various preferred embodiments of the present invention have been 

described in fulfillment of the various objects of the invention. It should be 
recognized that these embodiments are merely illustrative of the principles of the 
present invention. Numerous modifications and adaptations thereof will be 
readily apparent to those skilled in the art without departing from the spirit and 

1 5 scope of the present invention. 
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What is claimed is: 

1 , A method for authenticating the identity of a user by an authority, 
comprising: 

enrolling at least one credential for the user with the authority; 
5 establishing at least one shared secret between the user and the 

authority relating to a predefined shared secret manner for presenting a current 
user credential to the authority; 

receiving at least one currently presented user credential by the 
authority for authentication of the identity of the user; and 
10 authenticating the identity of the user by the authority based on a 

correspondence between the enrolled and current user credentials and a 
correspondence between the shared secret manner for presenting the current user 
credential and the manner in which the current user credential is presented to the 
authority. 

15 2. The method of claim 1 , wherein enrolling the user credential 

further comprises receiving the user credential by the authority for enrollment. 

3. The method of claim 2, wherein receiving the user credential for 
enrollment further comprises storing the user credential by the authority. 

4. The method of claim 3, wherein storing the user credential further 
20 comprises storing at least one biometric template for the user. 

5. The method of claim 3, wherein storing the user credential further 
comprises storing a document for the user. 

6. The method of claim 3, wherein storing the user credential further 
comprises storing the user credential on one of a host computer, a local terminal, 

25 and a smart card for the user. 

7. The method of claim 1, wherein enrolling the user credential 
further comprises enrolling at least one biometric template and at least one 
document for the user. 
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8, The method of claim 7, wherein enrolling the biometric template 
further comprises enrolling the biometric template for at least one of a fmgeiprint 
template, a face template, a voice template, and an iris template for the user. 

9, The method of claim 7, wherein enrolling the document further 

5 comprises enrolling at least one of a digital document and a paper document for 
the user. 

1 0, The method of claim 9, wherein enrolling the digital document 
further comprises enrolling at least one of a digital certificate and a digital 
signature for the user. 

10 11. The method of claim 9, wherein enrolling the paper document 

further comprises enrolling a passport for the user. 

12. The method of claim 1, wherein enrolling the user credential with 
the authority further comprises storing user authentication information on a user 
token for the user. 

15 13, The method of claim 12, wherein storing the information on the 

user token further comprises storing the user authentication information on a 

smart card for the user. 

14. The method of claim 13, wherein storing the information on the 

smart card further comprises storing biometric information for the user. 
20 15. The method of claim 14, wherein storing the biometric 

information for die user further comprises storing biometric information for one 

of a fingerprint, a face, a voice, and an iris for the user. 

16. The method of claim 13, wherein storing the information on the 
smart card further comprises storing the shared secret for the user on the smart 

25 card. 

17. The method of claim 13, wherein storing tie information on the 
smart card further comprises storing the authentication information on the smart 
card signed with a private key for the user. 
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18. The method of claim 1, wherein enrolling the user credential 
further comprises enrolling at least one additional credential for the user with the 
authority. 

19. The method of claim 1, wherein establishing the predefined shared 
5 secret manner of presenting the user credential further comprises establishing at 

least one predefined shared secret sequence of presenting the current user 
credential to the authority. 

20. The method of claim 19, wherein establishing the predefined 
shared secret sequence of presenting the current user credential further comprises 

1 0 establishing the predefined shared secret sequence which functions in a manner 
analogous to a personal identification number for the user. 

21 . The method of claim 1 , wherein establishing the shared secret 
further comprises storing information about the shared secret by the authority. 

22. The method of claim 21 , wherein storing the information about the 
1 5 shared secret by the authority further comprises storing the information about the 

shared secret and the user credential together in a database by the authority. 

23. The method of claim 22, wherein storing the information about the 
shared secret and the user credential in the database further comprises storing the 
information about the shared secret and the user credential encrypted and digitally 

20 signed. 

24. The method of claim 1, wherein establishing the shared secret 
further comprising establishing at least one additional shared secret between the 
user and the authority. 

25. The method of claim 24, wherein establishing the additional shared 
25 secret further comprises establishing a predefined shared secret personal 

identification number for the user. 

26. The method of claim 24, wherein establishing the additional shared 
secret further comprises establishing at least one additional predefined shared 
secret manner of presenting the current user credential to the authority for the 

30 user. 
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27. The method of claim 24, wherein establishing the additional shared 
secret further comprises establishing a predefined shared secret manner of 
presenting at least one additional current user credential to the authority for the 
user. 

5 28. The method of claim 24, wherein establishing the additional shared 

secret further comprises establishing a predefined shared secret manner of 
presenting each of a plurality of additional current user credentials to the 
authority for the user. 

29. The method of claim 28, wherein establishing the predefined 

1 0 shared secret manner of presenting of each of the plurality of additional current 
user credentials further comprises establishing a variation of the predefined 
shared secret manner of presenting each of the additional current user credentials 
to the authority for the user corresponding to a variation in a degree of security. 

30. The method of claim 28, wherein establishing the predefined 

1 5 shared secret manner of presenting each of the plurality of additional current user 
credentials further comprises establishing a variation of the predefined shared 
secret manner of presenting each of the additional current user to the authority for 
the user for consecutive occasions. 

3 1 . The method of claim 1 , wherein receiving the currently presented 
20 user credential further comprises receiving the current user credential by the 

authority in a predefined shared secret sequence. t 

32. The method of claim 1, wherein receiving the currently presented 
user credential further comprises receiving a current biometric sample by the 
authority. 

25 33. The method of claim 32, wherein receiving the current biometric 

sample by the authority further comprises receiving a current biometric sample 
for one of a fingerprint, a face, a voice, and an iris for the user. 

34. The method of claim 1, wherein receiving the currently presented 
user credential further comprises receiving the current user credential by the 

30 authority from the user in a shared secret manner directed by the authority. 
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35. The method of claim 34, wherein receiving the current user 
credential in the manner directed by the authority further comprises directing the 
user by the authority to present a biometric sample for at least one user 
fingerprint. 

5 36. The method of claim 34, wherein receiving the current user 

credential in the manner directed by the authority further comprises directing the 
user by the authority to present a combination of biometric samples for at least 
two of a user fingerprint, a user face, a user voice, and a user iris in a predefined 
shared secret sequence. 
1 0 37. The method of claim 1 , wherein receiving the current user 

credential further comprises receiving at least one additional currently presented 
user credential by the authority. 

38. The method of claim 37, wherein receiving the current user 
credential further comprises receiving at least one additional currently presented 

1 5 user credential by the authority in a manner directed by the authority. 

39. The method of claim 37, wherein receiving the current user 
credential further comprises receiving at least one additional currently presented 
user credential by the authority in one of a plurality of randomly selected 
predefined shared secret sequences as directed by the authority. 

20 40 - The method of claim 1 , wherein authenticating the identity of the 

user by the authority further comprises authenticating the identity of the user by 
one of a host computer and a local device. 

41. The method of claim 40, wherein authenticating the identity of the 
user by the local device further comprises authenticating the identity of the user 

25 for activation one of a gate controller, a door opener, a telephone, and an 
appliance. 

42. The method of claim 1, wherein authenticating the identity of the 
user by the authority further comprises authenticating the identity of the user 
based on the enrolled user credential and the shared secret manner for presenting 
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the current user credential stored together in one of a local database and a remote 
database of the authority. 

43 . The method of claim 1 , wherein authenticating the identity of the 
user by the authority further comprises authenticating the identity of the user in 

5 order for access to one of a device, a physical location, and a network. 

44. The method of claim 1 , wherein authenticating the identity of the 
user by the authority further comprises authenticating the identity of the user to a 
smart card. 

45 . The method of claim 1 , wherein authenticating the identity of the 
10 user by the authority further comprises authenticating the identity of the user to 

activate a silent alarm for the user. 

46. A system for authenticating the identity of a user by an authority, 
comprising: 

means for enrolling at least one credential for the user with the 

15 authority; 

means for establishing at least one shared secret between the user 
and the authority relating to a predefined shared secret manner for presenting a 
current user credential to the authority; 

means for receiving at least one currently presented user credential 
20 by the authority for authentication of the identity of the user; and 

means for authenticating the identity of the user by the authority 
based on a correspondence between the enrolled and current user credentials and 
a correspondence between the shared secret manner for presenting the current 
user credential and the manner in which the current user credential is presented to 
25 the authority. 

47. The system of claim 46, wherein the means for enrolling the user 
credential further comprises means for receiving the user credential by the 
authority for enrollment. 
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48. The system of claim 47, wherein the means for receiving the user 
credential for enrollment further comprises means for storing the user credential 
by the authority. 

49. The system of claim 48, wherein the means for storing the user 

5 credential further comprises means for storing at least one biometric template for 
the user. 

50. The system of claim 48, wherein the means for storing the user 
credential further comprises means for storing a document for the user. 

5 1 . The system of claim 483, wherein the means for storing the user 

1 0 credential further comprises means for storing the user credential on one of a host 
computer, a local terminal, and a smart card for the user. 

52. The system of claim 46, wherein the means for enrolling the user 
credential further comprises means for enrolling at least one biometric template 
arid at least one document for the user. 

1 ^ 53 . The system of claim 52, wherein the means for enrolling the 

biometric template further comprises means for enrolling the biometric template 
for at least one of a fingerprint template, a face template, a voice template, and an 
iris template for the user, 

54. The system of claim 52, wherein the means for enrolling the 

20 document further comprises means for enrolling at least one of a digital document 
and a paper document for the user. 

55. The system of claim 54, wherein the means for enrolling the digital 
document further comprises means for enrolling at least one of a digital certificate 
and a digital signature for the user. 

25 56 « The system of claim 54, wherein the means for enrolling the paper 

document further comprises means for enrolling a passport for the user. 

57, The system of claim 46, wherein the means for enrolling the user 
credential with the authority further comprises means for storing user 
authentication information on a user token for the user. 
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58. The system of claim 57, wherein the means for storing the 
information on the user token further comprises means for storing the user 
authentication information on a smart card for the user, 

59. The system of claim 58, wherein the means for storing the 

5 information on the smart card further comprises means for storing biometric 
information for the user. 

60. The system of claim 59, wherein the means for storing the 
biometric information for the user further comprises means for storing biometric 
information for one of a fingerprint, a face, a voice, and an iris for the user. 

10 61. The system of claim 58, wherein the means for storing the 

information on the smart card further comprises means for storing the shared 
secret for the user on the smart card, 

62. The system of claim 58, wherein the means for storing the 
information on the smart card further comprises means for storing the 

1 5 authentication information on the smart card signed with a private key for the 
user. 

63. The system of claim 46, wherein the means for enrolling the user 
credential further comprises means for enrolling at least one additional credential 
for the user with the authority. 

20 64. The system of claim 46, wherein the means for establishing the 

predefined shared secret manner of presenting the user credential further 
comprises means for establishing at least one predefined shared secret sequence 
of presenting the current user credential to the authority. 

65. The system of claim 64, wherein the means for establishing the 

25 predefined shared secret sequence of presenting the current user credential further 
comprises means for establishing the predefined shared secret sequence which 
functions in a manner analogous to a personal identification number for the user, 

66. The system of claim 46, wherein the means for establishing the 
shared secret further comprises means for storing information about the shared 

30 secret by the authority. 
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67. The system of claim 66, wherein the means for storing the 
information about the shared secret by the authority further comprises means for 
storing the information about the shared secret and the user credential together in 
a database by the authority. 
5 68. The system of claim 67, wherein the means for storing the 

information about the shared secret and the user credential in the database further 
comprises means for storing the information about the shared secret and the user 
credential encrypted and digitally signed. 

69. The system of claim 46, wherein the means for establishing the 

1 0 shared secret further comprising establishing at least one additional shared secret 
between the user and the authority. 

70. The system of claim 69, wherein the means for establishing the 
additional shared secret further comprises means for establishing a predefined 
shared secret personal identification number for the user. 

15 71. The system of claim 69, wherein the means for establishing the 

additional shared secret further comprises means for establishing at least one 
additional predefined shared secret manner of presenting the current user 
credential to the authority for the user. 

72. The system of claim 69, wherein the means for establishing the 
20 additional shared secret further comprises means for establishing a predefined 

shared secret manner of presenting at least one additional current user credential 
to the authority for the user. 

73. The system of claim 69, wherein the means for establishing the 
additional shared secret further comprises means for establishing a predefined 

25 shared secret manner of presenting each of a plurality of additional current user 
credentials to the authority for the user. 

74. The system of claim 73, wherein the means for establishing the 
predefined shared secret manner of presenting of each of the plurality of 
additional current user credentials further comprises means for establishing a 

30 variation of the predefined shared secret manner of presenting each of the 
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additional current user credentials to the authority for the user corresponding to a 
variation in a degree of security, 

75. The system of claim 73, wherein the means for establishing the 
predefined shared secret manner of presenting each of the plurality of additional 

5 current user credentials further comprises means for establishing a variation of 
the predefined shared secret manner of presenting each of the additional current 
user to the authority for the user for consecutive occasions. 

76. The system of claim 46, wherein the means for receiving the 
currently presented user credential further comprises means for receiving the 

10 current user credential by the authority in a predefined shared secret sequence. 

77. The system of claim 46, wherein the means for receiving the 
currently presented user credential further comprises means for receiving a 
current biometric sample by the authority. 

78. The system of claim 77, wherein the means for receiving the 

1 5 current biometric sample by the authority further comprises means for receiving a 
current biometric sample for one of a fingerprint, a face, a voice, and an iris for 
the user. 

79. The system of claim 46, wherein the means for receiving the 
currently presented user credential further comprises means for receiving the 

20 current user credential by the authority from the user in a shared secret manner 
directed by the authority. 

80. The system of claim 79, wherein the means for receiving the 
current user credential in the manner directed by the authority further comprises 
means for directing the user by the authority to present a biometric sample for at 

25 least one user fingerprint. 

8 1 . The system of claim 79, wherein the means for receiving the 
current user credential in the manner directed by the authority further comprises 
means for directing the user by the authority to present a combination of 
biometric samples for at least two of a user fingerprint, a user face, a user voice, 

30 and a user iris in a predefined shared secret sequence. 
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82. The system of claim 46, wherein the means for receiving the 
current user credential further comprises means for receiving at least one 
additional currently presented user credential by the authority. 

83. The system of claim 82, wherein the means for receiving the 
5 current user credential further comprises means for receiving at least one 

additional currently presented user credential by the authority in a manner 
directed by the authority. 

84. The system of claim 82, wherein the means for receiving the 
current user credential further comprises means for receiving at least one 

1 0 additional currently presented user credential by the authority in one of a plurality 
of randomly selected predefined shared secret sequences as directed by the 
authority. 

85. The system of claim 46, wherein the means for authenticating the 
identity of the user by the authority further comprises means for authenticating 

15 the identity of the user by one of a host computer and a local device. 

86. The system of claim 85, wherein the means for authenticating the 
identity of the user by the local device further comprises means for authenticating 
the identity of the user for activation one of a gate controller, a door opener, a 
telephone, and an appliance. 

20 87. The system of claim 46, wherein the means for authenticating the 

identity of the user by the authority further comprises means for authenticating 
the identity of the user based on the enrolled user credential and the shared secret 
manner for presenting the current user credential stored together in one of a local 
database and a remote database of the authority. 

2 5 88. The system of claim 46, wherein the means for authenticating the 

identity of the user by the authority further comprises means for authenticating 
the identity of the user in order for access to one of a device, a physical location, 
and a network. 
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89. The system of claim 46, wherein the means for authenticating the 
identity of the user by the authority further comprises means for authenticating 
the identity of the user to a smart card. 

90. The system of claim 46, wherein the means for authenticating the 
5 identity of the user by the authority further comprises means for authenticating 

the identity of the user to activate a silent alarm for the user. 

91 . A method for authenticating the identity of a user by an authority, 
comprising: 

enrolling a plurality of credentials for the user with the authority; 

0 establishing a shared secret between the user and the authority 

relating to a predefined shared secret manner of presenting a current user 
credential corresponding to each of the plurality of enrolled user credentials; 

receiving a presentment of at least one current user credential by 
the authority for authentication of the identity of the user; and 

5 authenticating the identity of the user by the authority based on a 

correspondence between the enrolled and current user credentials and a 
correspondence between the shared secret manner for presenting the current user 
credential and the manner in which the current user credential is presented to the 
authority. 
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